CVE-2021-4134

Public Exploit

Fancy Product Designer <= 4.7.4 Admin+ SQL Injection

Description

The Fancy Product Designer WordPress plugin is vulnerable to SQL Injection due to insufficient escaping and parameterization of the ID parameter found in the ~/inc/api/class-view.php file which allows attackers with administrative level permissions to inject arbitrary SQL queries to obtain sensitive information, in versions up to and including 4.7.4.

Remediation

Solution:

Update to version 4.7.5 or newer.

References

Link	Tags
https://www.wordfence.com/vulnerability-advisories/#CVE-2021-4134	third party advisory exploit
https://support.fancyproductdesigner.com/support/discussions/topics/13000031264	release notes vendor advisory

Frequently Asked Questions

What is the severity of CVE-2021-4134?: CVE-2021-4134 has been scored as a high severity vulnerability.
How to fix CVE-2021-4134?: To fix CVE-2021-4134: Update to version 4.7.5 or newer.
Is CVE-2021-4134 being actively exploited in the wild?: It is possible that CVE-2021-4134 is being exploited or will be exploited in a near future based on public information. According to its EPSS score, there is a ~2% probability that this vulnerability will be exploited by malicious actors in the next 30 days.
What software or system is affected by CVE-2021-4134?: CVE-2021-4134 affects Fancy Product Designer Fancy Product Designer .

This platform uses data from the NIST NVD, MITRE CVE, MITRE CWE, First.org and CISA KEV but is not endorsed or certified by these entities. CVE is a registred trademark of the MITRE Corporation and the authoritative source of CVE content is MITRE's CVE web site. CWE is a registred trademark of the MITRE Corporation and the authoritative source of CWE content is MITRE's CWE web site.

Description

Remediation

Category

CWE-89 – Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')

References

Frequently Asked Questions